Add client credentials support to everything-client

.vscode/settings.json

@@ -0,0 +1,3 @@
+{
+  "workbench.colorTheme": "Solarized Dark"
+}

examples/clients/typescript/everything-client.ts

@@ -12,9 +12,15 @@
  * consolidating all the individual test clients into one.
  */
 
+import { fileURLToPath } from 'url';
 import { Client } from '@modelcontextprotocol/sdk/client/index.js';
 import { StreamableHTTPClientTransport } from '@modelcontextprotocol/sdk/client/streamableHttp.js';
+import {
+  ClientCredentialsProvider,
+  PrivateKeyJwtProvider
+} from '@modelcontextprotocol/sdk/client/auth-extensions.js';
 import { ElicitRequestSchema } from '@modelcontextprotocol/sdk/types.js';
+import { ConformanceContextSchema } from '../../../src/schemas/context.js';
 import { withOAuthRetry } from './helpers/withOAuthRetry.js';
 import { logger } from './helpers/logger.js';
 
@@ -175,6 +181,96 @@ async function runElicitationDefaultsClient(serverUrl: string): Promise<void> {
 
 registerScenario('elicitation-defaults', runElicitationDefaultsClient);
 
+// ============================================================================
+// Client Credentials scenarios
+// ============================================================================
+
+/**
+ * Parse the conformance context from MCP_CONFORMANCE_CONTEXT env var.
+ */
+function parseContext() {
+  const raw = process.env.MCP_CONFORMANCE_CONTEXT;
+  if (!raw) {
+    throw new Error('MCP_CONFORMANCE_CONTEXT not set');
+  }
+  return ConformanceContextSchema.parse(JSON.parse(raw));
+}
+
+/**
+ * Client credentials with private_key_jwt authentication.
+ */
+export async function runClientCredentialsJwt(
+  serverUrl: string
+): Promise<void> {
+  const ctx = parseContext();
+  if (ctx.name !== 'auth/client-credentials-jwt') {
+    throw new Error(`Expected jwt context, got ${ctx.name}`);
+  }
+
+  const provider = new PrivateKeyJwtProvider({
+    clientId: ctx.client_id,
+    privateKey: ctx.private_key_pem,
+    algorithm: ctx.signing_algorithm || 'ES256'
+  });
+
+  const client = new Client(
+    { name: 'conformance-client-credentials-jwt', version: '1.0.0' },
+    { capabilities: {} }
+  );
+
+  const transport = new StreamableHTTPClientTransport(new URL(serverUrl), {
+    authProvider: provider
+  });
+
+  await client.connect(transport);
+  logger.debug('Successfully connected with private_key_jwt auth');
+
+  await client.listTools();
+  logger.debug('Successfully listed tools');
+
+  await transport.close();
+  logger.debug('Connection closed successfully');
+}
+
+registerScenario('auth/client-credentials-jwt', runClientCredentialsJwt);
+
+/**
+ * Client credentials with client_secret_basic authentication.
+ */
+export async function runClientCredentialsBasic(
+  serverUrl: string
+): Promise<void> {
+  const ctx = parseContext();
+  if (ctx.name !== 'auth/client-credentials-basic') {
+    throw new Error(`Expected basic context, got ${ctx.name}`);
+  }
+
+  const provider = new ClientCredentialsProvider({
+    clientId: ctx.client_id,
+    clientSecret: ctx.client_secret
+  });
+
+  const client = new Client(
+    { name: 'conformance-client-credentials-basic', version: '1.0.0' },
+    { capabilities: {} }
+  );
+
+  const transport = new StreamableHTTPClientTransport(new URL(serverUrl), {
+    authProvider: provider
+  });
+
+  await client.connect(transport);
+  logger.debug('Successfully connected with client_secret_basic auth');
+
+  await client.listTools();
+  logger.debug('Successfully listed tools');
+
+  await transport.close();
+  logger.debug('Connection closed successfully');
+}
+
+registerScenario('auth/client-credentials-basic', runClientCredentialsBasic);
+
 // ============================================================================
 // Main entry point
 // ============================================================================
@@ -216,7 +312,10 @@ async function main(): Promise<void> {
   }
 }
 
-main().catch((error) => {
-  console.error('Unhandled error:', error);
-  process.exit(1);
-});
+// Only run main when this file is executed directly, not when imported as a module
+if (process.argv[1] === fileURLToPath(import.meta.url)) {
+  main().catch((error) => {
+    console.error('Unhandled error:', error);
+    process.exit(1);
+  });
+}

src/runner/client.ts

@@ -35,7 +35,11 @@ async function executeClient(
   const env = { ...process.env };
   env.MCP_CONFORMANCE_SCENARIO = scenarioName;
   if (context) {
-    env.MCP_CONFORMANCE_CONTEXT = JSON.stringify(context);
+    // Include scenario name in context for discriminated union parsing
+    env.MCP_CONFORMANCE_CONTEXT = JSON.stringify({
+      name: scenarioName,
+      ...context
+    });
   }
 
   return new Promise((resolve) => {

src/scenarios/client/auth/client-credentials.ts

@@ -51,9 +51,8 @@ export class ClientCredentialsJwtScenario implements Scenario {
       tokenEndpointAuthSigningAlgValuesSupported: ['ES256'],
       onTokenRequest: async ({ grantType, body, timestamp, authBaseUrl }) => {
         // Per RFC 7523bis, the audience MUST be the issuer identifier
-        const issuerUrl = authBaseUrl.endsWith('/')
-          ? authBaseUrl
-          : `${authBaseUrl}/`;
+        // The SDK uses metadata.issuer as audience, which matches authBaseUrl
+        const issuerUrl = authBaseUrl;
         if (grantType !== 'client_credentials') {
           this.checks.push({
             id: 'client-credentials-grant-type',
@@ -98,8 +97,15 @@ export class ClientCredentialsJwtScenario implements Scenario {
         // Verify JWT signature and claims using the generated public key
         try {
           // Per RFC 7523bis, audience MUST be the issuer identifier
+          // Per RFC 3986, URLs with and without trailing slash are equivalent,
+          // so we normalize by removing trailing slashes for comparison
+          const normalizedIssuerUrl = issuerUrl.replace(/\/+$/, '');
           const { payload } = await jose.jwtVerify(clientAssertion, publicKey, {
-            audience: issuerUrl,
+            audience: [
+              issuerUrl,
+              normalizedIssuerUrl,
+              `${normalizedIssuerUrl}/`
+            ],
             clockTolerance: 30
           });
 

src/scenarios/client/auth/index.test.ts

@@ -10,24 +10,32 @@ import { runClient as ignoreScopeClient } from '../../../../examples/clients/typ
 import { runClient as partialScopesClient } from '../../../../examples/clients/typescript/auth-test-partial-scopes';
 import { runClient as ignore403Client } from '../../../../examples/clients/typescript/auth-test-ignore-403';
 import { runClient as noRetryLimitClient } from '../../../../examples/clients/typescript/auth-test-no-retry-limit';
+import {
+  runClientCredentialsJwt,
+  runClientCredentialsBasic
+} from '../../../../examples/clients/typescript/everything-client';
 import { setLogLevel } from '../../../../examples/clients/typescript/helpers/logger';
 
 beforeAll(() => {
   setLogLevel('error');
 });
 
 const skipScenarios = new Set<string>([
-  // Client credentials scenarios require SDK support for client_credentials grant
-  // Pending typescript-sdk implementation
-  'auth/client-credentials-jwt',
-  'auth/client-credentials-basic'
+  // Add scenarios that should be skipped here
 ]);
 
 const allowClientErrorScenarios = new Set<string>([
   // Client is expected to give up (error) after limited retries, but check should pass
   'auth/scope-retry-limit'
 ]);
 
+// Map of scenario names to their specific client handlers
+const scenarioClientMap: Record<string, (serverUrl: string) => Promise<void>> =
+  {
+    'auth/client-credentials-jwt': runClientCredentialsJwt,
+    'auth/client-credentials-basic': runClientCredentialsBasic
+  };
+
 describe('Client Auth Scenarios', () => {
   // Generate individual test for each auth scenario
   for (const scenario of authScenariosList) {
@@ -36,7 +44,9 @@ describe('Client Auth Scenarios', () => {
         // TODO: skip in a native way?
         return;
       }
-      const runner = new InlineClientRunner(goodClient);
+      // Use scenario-specific client if available, otherwise use goodClient
+      const clientFn = scenarioClientMap[scenario.name] ?? goodClient;
+      const runner = new InlineClientRunner(clientFn);
       await runClientAgainstScenario(runner, scenario.name, {
         allowClientError: allowClientErrorScenarios.has(scenario.name)
       });

src/scenarios/client/auth/test_helpers/testClient.ts

@@ -107,6 +107,16 @@ export async function runClientAgainstScenario(
   const serverUrl = urls.serverUrl;
 
   try {
+    // Set environment variables for inline clients
+    // These mirror what src/runner/client.ts does for spawned processes
+    process.env.MCP_CONFORMANCE_SCENARIO = scenarioName;
+    if (urls.context) {
+      process.env.MCP_CONFORMANCE_CONTEXT = JSON.stringify({
+        name: scenarioName,
+        ...urls.context
+      });
+    }
+
     // Run the client
     try {
       await runner.run(serverUrl);
@@ -166,6 +176,10 @@ export async function runClientAgainstScenario(
       }
     }
   } finally {
+    // Clean up environment variables
+    delete process.env.MCP_CONFORMANCE_SCENARIO;
+    delete process.env.MCP_CONFORMANCE_CONTEXT;
+
     // Stop the scenario server
     await scenario.stop();
   }

src/schemas/context.ts

@@ -0,0 +1,23 @@
+import { z } from 'zod';
+
+/**
+ * Schema for conformance test context passed via MCP_CONFORMANCE_CONTEXT.
+ *
+ * Each variant includes a `name` field matching the scenario name to enable
+ * discriminated union parsing and type-safe access to scenario-specific fields.
+ */
+export const ConformanceContextSchema = z.discriminatedUnion('name', [
+  z.object({
+    name: z.literal('auth/client-credentials-jwt'),
+    client_id: z.string(),
+    private_key_pem: z.string(),
+    signing_algorithm: z.string().optional()
+  }),
+  z.object({
+    name: z.literal('auth/client-credentials-basic'),
+    client_id: z.string(),
+    client_secret: z.string()
+  })
+]);
+
+export type ConformanceContext = z.infer<typeof ConformanceContextSchema>;